It is possible to go from Frame 2 to Frame 1 just by guessing the value of the sum I3+D5, which we will call X (one of 256 chances): X = I3+D5.

D0 to D4 remain the same.

R5 = I3 + K5 = I3 + (D5+D5) + K5 = (I3+D5) + (D5+K5) = X + S5.

R6 to R8 are computed by reversing one CRC step based on the value of X. There is a correspondence between I2-I0 and J3-J1, because the CRC shifts them back but D5 “pushes” them forward again. They do not necessarily keep the same values, but their difference depends only on X, which we have guessed.

J0 depends only on X. K9 = S9 + J0. We have guessed the last message byte and the last byte of keystream.

We guess X by trial and error: the access point must discard invalid frames, and in doing so it helps us find the value of X.

By doing this, we have found a valid frame 1 byte shorter than the original one, and we have guessed one byte of keystream. This process can be repeated, by induction, to get the whole keystream.
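
The relations above can be checked offline on constructed bytes. This is an added example, not code from the original page: it builds Frame 2 from made-up data and keystream, derives Frame 1 from a value of X alone, and uses a local ICV check in place of the access point. The function names, sample bytes and 6-byte data length are assumptions, `+` in the text is read as XOR, and the ICV is assumed to be the standard CRC-32 stored little-endian.

```python
import struct
import zlib

# Standard reflected CRC-32 table (polynomial 0xEDB88320), assumed for the ICV.
TABLE = []
for i in range(256):
    c = i
    for _ in range(8):
        c = (c >> 1) ^ 0xEDB88320 if c & 1 else c >> 1
    TABLE.append(c)

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def encrypt(data, keystream):
    """Frame body = (data || little-endian CRC-32 ICV) XOR keystream."""
    plain = data + struct.pack("<I", zlib.crc32(data))
    return xor(plain, keystream)

def icv_valid(cipher, keystream):
    """Receiver-side check: decrypt, then compare the trailing ICV."""
    plain = xor(cipher, keystream)
    return struct.pack("<I", zlib.crc32(plain[:-4])) == plain[-4:]

def shorten(s, x):
    """Frame 2 ciphertext S and a value X -> (Frame 1 ciphertext R, last keystream byte)."""
    t = struct.pack("<I", TABLE[x ^ 0xFF])   # one reversed CRC step, fixed by X alone
    r = bytearray(s[:-1])                    # D0..D4 positions are unchanged
    r[-4] ^= x                               # R5 = X + S5
    for k in range(3):                       # R6..R8 = S6..S8 + (I2..I0 + J3..J1)
        r[-3 + k] ^= t[k]
    return bytes(r), s[-1] ^ 0xFF ^ t[3]     # K9 = S9 + J0, and J0 depends only on X

def passing_guesses(s, keystream):
    """Every X whose shortened frame passes the ICV check (exactly one does)."""
    return [x for x in range(256) if icv_valid(shorten(s, x)[0], keystream)]

# Constructed sample: 6 data bytes (D0..D5) and a made-up 10-byte keystream (K0..K9).
DATA = b"\x10\x20\x30\x40\x50\x60"
KEYSTREAM = bytes.fromhex("a1b2c3d4e5f60718293a")
S = encrypt(DATA, KEYSTREAM)

if __name__ == "__main__":
    (x,) = passing_guesses(S, KEYSTREAM)
    print("X =", hex(x), "K9 =", hex(shorten(S, x)[1]))
```

The mask applied in `shorten` never touches the key or the data, which is why a CRC used as an ICV under a stream cipher gives no integrity protection; a keyed MIC does not have this property.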